Role Based User Interface Creation Using Spring JSP Taglibs
Spring Security provides JSP taglibs for customizing the user interface according to the authenticated user's role. With them we can show a portion of the UI to users with the admin role and hide it from everyone else.
This tutorial builds on the previous Spring Security tutorials. You should first read the Getting Started with Spring Security tutorial and then this one for a better understanding.
- Spring MVC 3.0.3
- Spring JDBC 3.0.5
- Spring Security 3.0.5
- Eclipse Indigo 3.7
- Tomcat 6
- Jdk 1.6
Including Spring Security JSP Taglib
We have to add the Spring Security taglib to our JSP file to use this role-based user interface feature:
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>
Authorize tag in Spring Security taglib
The authorize tag is used for role-based user interface creation. For example, if we want to create a JSP portion that will be visible only to users with the role "ROLE_ADMIN", it looks like the following code:
<sec:authorize access="hasRole('ROLE_ADMIN')">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
If we put this code in a JSP, the message will be shown only to users with the role "ROLE_ADMIN". The "access" attribute specifies a Spring Security EL expression; only if the expression evaluates to true for the logged-in user is the HTML within the <sec:authorize/> tag rendered. The expression in the access attribute is passed to the WebSecurityExpressionHandler defined in the web context, so we have to add a WebSecurityExpressionHandler to our security context. It can be done in two ways:
- Use the default WebSecurityExpressionHandler, which is only available if we specify use-expressions="true" on the <http/> tag in our Spring Security configuration file.
- Register your own WebSecurityExpressionHandler in the Spring Security configuration file.
Common built-in expressions
The following are the common expressions that can be used in the access attribute of the <sec:authorize/> tag:
- hasRole([role]): Returns true only if the logged-in user has the role specified in [role].
- hasAnyRole([role1,role2]): Returns true only if the logged-in user has at least one of the roles specified in [role1,role2]. The roles are specified in comma-separated format.
- isAnonymous(): Returns true only if the logged-in user is an anonymous user.
- isAuthenticated(): Returns true if the user is not an anonymous user.
- isFullyAuthenticated(): Returns true if the user is neither an anonymous user nor a remember-me user.
- isRememberMe(): Returns true if the user is a remember-me user.
Our Example:
Modifying Spring Security Configuration File (spring-security.xml)
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true" use-expressions="true">
<intercept-url pattern="/auth/**" filters="none"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
<form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="customer" password="customer" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
We have modified security.xml to:
- Create two users of different roles.
- Specify the attribute use-expressions="true" on the <http/> tag.
- Give both users access to the URL pattern "/**".
Modifying welcome.jsp
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page session="true" %>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Security 3 JSP Taglibs- This is a secure page</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body>
<h1>Welcome!</h1><br />
<sec:authorize access="hasRole('ROLE_ADMIN')">
This session will be visible to an admin only.<br/>
You are an Administrator.<br/>
</sec:authorize>
<sec:authorize access="hasRole('ROLE_USER')">
This session will be visible to a Customer only.<br/>
You are a Customer.<br/>
</sec:authorize>
${HelloMessage}<br />
<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
</body>
</html>
We have just added two messages: one for the admin user and another for the customer user.
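To make the behaviour of the built-in expressions, the intercept-url rules and the authorize tag concrete, here is a small model of all three as an added example. It is not code from the tutorial and does not use Spring itself: the Authentication class, ExpressionRoot, evaluate, render and authorize_request are constructed stand-ins that mirror the semantics described above (hasRole matches a granted authority exactly; isAuthenticated is simply "not anonymous"; isFullyAuthenticated additionally excludes remember-me logins). The users mirror the <user-service> entries and the fragments mirror welcome.jsp. The "/admin/**" rule is an assumed addition that is not in the tutorial's configuration; it is there to show two points a practitioner should keep in mind: <sec:authorize> only decides what is rendered, while the URL itself is protected only by intercept-url, and intercept-url patterns are matched in declaration order with the first match winning, so a narrower admin pattern must come before "/**".

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed stand-in for Spring Security's Authentication: the granted
# authorities plus the two token types the built-in predicates inspect
# (AnonymousAuthenticationToken and RememberMeAuthenticationToken).
@dataclass(frozen=True)
class Authentication:
    name: str
    authorities: FrozenSet[str] = frozenset()
    anonymous: bool = False
    remember_me: bool = False


class ExpressionRoot:
    """Models the predicates usable in an access attribute (hypothetical name)."""

    def __init__(self, auth: Authentication) -> None:
        self.auth = auth

    def hasRole(self, role: str) -> bool:
        return role in self.auth.authorities        # exact match, no prefixing

    def hasAnyRole(self, *roles: str) -> bool:
        return any(r in self.auth.authorities for r in roles)

    def isAnonymous(self) -> bool:
        return self.auth.anonymous

    def isAuthenticated(self) -> bool:
        return not self.auth.anonymous

    def isRememberMe(self) -> bool:
        return self.auth.remember_me

    def isFullyAuthenticated(self) -> bool:
        # Neither anonymous nor remember-me: the user logged in explicitly.
        return not self.auth.anonymous and not self.auth.remember_me

    def permitAll(self) -> bool:
        return True


_CALL = re.compile(r"^\s*(\w+)\s*(?:\((.*)\))?\s*$")
_ARG = re.compile(r"'([^']*)'")


def evaluate(expression: str, auth: Authentication) -> bool:
    """Evaluate one predicate, e.g. hasAnyRole('ROLE_ADMIN','ROLE_USER') or permitAll."""
    m = _CALL.match(expression)
    predicate = getattr(ExpressionRoot(auth), m.group(1), None) if m else None
    if predicate is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    return bool(predicate(*_ARG.findall(m.group(2) or "")))


def render(fragments: List[Tuple[str, str]], auth: Authentication) -> List[str]:
    """Mimic <sec:authorize>: keep only bodies whose access expression is true."""
    return [body for access, body in fragments if evaluate(access, auth)]


def _ant_to_regex(pattern: str) -> str:
    # Simplified Ant-style matching: ** spans directories, * stays within one.
    return "^" + re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*") + "$"


def authorize_request(path: str, auth: Authentication,
                      rules: List[Tuple[str, str]]) -> Optional[bool]:
    """Mimic <intercept-url>: the first pattern that matches the path decides."""
    for pattern, access in rules:
        if re.match(_ant_to_regex(pattern), path):
            return evaluate(access, auth)
    return None  # no rule matched the path


# Constructed data mirroring spring-security.xml and welcome.jsp above.
INTERCEPT_URLS = [
    ("/auth/**", "permitAll"),                     # stands in for filters="none"
    ("/admin/**", "hasRole('ROLE_ADMIN')"),        # assumed admin-only area (not in the tutorial)
    ("/**", "hasAnyRole('ROLE_ADMIN','ROLE_USER')"),
]
WELCOME_FRAGMENTS = [
    ("hasRole('ROLE_ADMIN')", "You are an Administrator."),
    ("hasRole('ROLE_USER')", "You are a Customer."),
]
ADMIN = Authentication("admin", frozenset({"ROLE_ADMIN"}))
CUSTOMER = Authentication("customer", frozenset({"ROLE_USER"}))
REMEMBERED_ADMIN = Authentication("admin", frozenset({"ROLE_ADMIN"}), remember_me=True)
ANONYMOUS = Authentication("anonymousUser", frozenset({"ROLE_ANONYMOUS"}), anonymous=True)

if __name__ == "__main__":
    for user in (ADMIN, CUSTOMER, REMEMBERED_ADMIN, ANONYMOUS):
        print(user.name, render(WELCOME_FRAGMENTS, user),
              "/admin/users ->", authorize_request("/admin/users", user, INTERCEPT_URLS))
```

Running the block shows the customer seeing only the customer message while still being refused at /admin/users, and the remembered admin seeing the admin message while isFullyAuthenticated() is false for it. Reversing INTERCEPT_URLS so that "/**" comes first lets the customer reach /admin/users, which is why the order of intercept-url elements matters in the real configuration.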